FoF passport, the Laravel passport oauth extension

luceos

Invalid state is often caused by a misconfiguration, it's hard to tell without any additional information ceerker

luceos

ceerker OAuth authorization url | https://account.indieclub.one/auth/indieClubONE

Is this a redirect? Can you try using the exact non redirected url?

clarkwinkelmann

If you want to sync data between Laravel and Flarum, you'll have to implement your own logic. An easy solution would be to disallow password or email change on Flarum side (I don't think this extension does it, it requires some additional Flarum code). Then when it's edited in the Laravel app, just do an API call from Laravel to Flarum with an API Key to update the user's details. If you only use Passport for login, there's no need to even have a password on Flarum side.

clarkwinkelmann

ceerker some people have done it on their forum but I don't think anyone has released the changes as an extension.

Solaris

Hi, I just need some portion of guidance putting Laravel Passport server and my flarum app altogether. At this point I created Laravel app with Passport and generated client credentials ID and secret. I also installed Flagrow passport and specified all fields in it.
When I try to login I'm being redirected to my passport server in popup. Then I enter my user creds from Laravel site and get

Invalid error "invalid_client"
error_description "Client authentication failed"

For generating Access tokens I used php artisan php artisan passport:client and specified callback url to my flarum instance. I'm badly familiar with Laravel, so my guess there is a permission issue. Since the first question of artisian command is "Which user ID should the client be assigned to?". I don't fully understand the logic of the API. I just want all users of the laravel site (i.e. https://pass.myflarum.com) to be able to login to flarum app (https://myflarum.com) as was discussed in this thread. I just want to create general ID and secret and authorize users without Permission grant step.

clarkwinkelmann

Solaris it's hard to give advice based on just that. Can you maybe share a screenshot of your settings in Flarum (with tokens redacted) ? Did you assign the client to a valid Laravel user when creating it (ID 1 likely?)

Solaris

clarkwinkelmann Yes, I assigned it to valid user 1. Then created the second user and tested Client app with him. Still, no luck =/

Solaris

Just figured out what is going wrong with the request. My specifications of redirect url are correct but flagrow passport first request to the oauth/authorize misses a part of it;
/authorize?approval_prompt=auto&client_id=3&redirect_uri=https%3A%2F%2Fquarks.app%2Fauth%2Fpassport

I didn't notice it at first. But my app url includes /uk/. As in config.php: 'url' => 'https://quarks.app/uk'
Not sure which method grabs url but it doesn't work with my current nginx rewriting rule.

upd. I created PR for it. As it was already fixed for facebook and twitter with url generator. Now works fine.

clarkwinkelmann

Version 0.3.0 released with the fix for subfolder installs and a new option to customize the icon of the login button. Incidentally, the default icon was no longer visible since multiple betas because the name had not been updated for FontAwesome 5.

This update also brings Passport into FriendsOfFlarum.

The update is beta 12+ only because I updated the Zend namespaces to Laminas.

Updating from Flagrow

This extension replaces Flagrow Passport.

To upgrade from the old extension to the new one:

Backup your data!
Disable the Passport extension in the admin panel.
Run:

composer require fof/passport

Composer should let you know that flagrow/passport has been automatically removed.

Enable the new extension in the admin panel.
Your existing settings will be migrated to FoF Passport automatically.
You should be good to go! All URLs stay the same.

Solaris

Hello,
Hope you're doing well. I decided to play around with custom OAuth server built with Django. I've managed to integrate it with FoF Passport but noticed some strange behavior which is might not be a bug but I'd appreciate your help.

Trying to log in with newly registered (OAuth server side resource) users after authorization FoF extension authenticated some users from Flarum database. So that for every resource user token there were assigned flarum user (but with different email and username).
After cleaning access tokens and users on both sides it began to work normally. So my guess it was either tokens or ID.
I've looked through extension source code but I'm lacking php skills to understand why FoF passport needs user ID from JSON response in the first place and how it utilizes it. Could it be the issue that users with same ID where wrongly connected?

luceos

Solaris If I'm not mistaken it uses the resourceOwner, which usually is based on the email address. Creating users in Flarum is required so that these accounts can be shown as the author of content (not sure you are debating that).

Solaris

luceos Somehow it logged in users with different email than the resource owner, so I started looking for the reason. There is no concern in creating users with same email in Flarum. But ResourceOwner.php does take resource user getId() along with getEmail() and getName() from response.

luceos

Solaris it does standardise these three into methods, but they aren't used in Flarum to authorize: see https://github.com/FriendsOfFlarum/passport/blob/b7f31082736542984734f4169d3c4fc081eb17e7/src/Controllers/PassportController.php#L92

It only uses the email address to set up Registration/Log in.

chronikum

I am currently trying to get this to work on NextClouds OAuth2, but I cannot figure it out.
What do I have to enter when there's the /api/user information?

LucaAllulli

Hello. I'm trying to integrate this fof/passport with a Django based authentication provider (Django OAuth Toolkit).

Apparently, I'm stuck at the final step: getting information from the user, which should be done through the "Api URL providing user details".

I cannot figure out how this information should be provided. Apparently, the authorization provider should yield some JSON data about the user, but the client of the HTTP request (Flarum) does not pass any authorization detail (such as an access token) when it performs the API request to get user info. How can the authentication server know what user the request is about, from the "blank" HTTP request it gets?

Solaris

LucaAllulli Not sure if it is still an issue for you. But you can DM me and I'll explain this. Extension works just fine. There's a final step requires to code your own endpoint for it.

clarkwinkelmann

Sorry for the late reply for the last few questions. The best way to know exactly what URL and other parameters you need is to check out the source code of this extension as well as the documentation for the league oauth2 library that's used behind the scenes.

This extension's oauth provider basically just extends League's AbstractProvider by using the provided URL for getResourceOwnerDetailsUrl. We also use the BearerAuthorizationTrait trait that sends the token as part of an Authorization: Bearer token header, like Laravel's Passport does.

The expected response type is JSON. We're not using the ACCESS_TOKEN_RESOURCE_OWNER_ID feature of League's oauth package. Maybe we should, but while the ID is stored it's not actually used by Flarum later on at this point. The important bit is that we access the email and name attributes of the JSON object via ResourceOwner. We also trigger an event that could be used to alter the response in case your JSON object doesn't match what this extension expects. It's very likely that name isn't actually used by Flarum, so that basically leaves only email that's really required.

If your oauth system doesn't work with this extension, it should be quite easy to fork it, then customize the oauth provider and/or resourceowner code.

I hope this clarifies things.

clarkwinkelmann

jbatham see my answer above, there's some details into how this works.

clarkwinkelmann we access the email and name attributes of the JSON object via ResourceOwner. We also trigger an event that could be used to alter the response in case your JSON object doesn't match what this extension expects. It's very likely that name isn't actually used by Flarum, so that basically leaves only email that's really required

If that doesn't work, let us know and we'll try to improve the documentation.

cmwetherell

Can someone help me understand the utility of this package? What does it allow me to accomplish that core does not?

A separate question, can this be added to an existing forum, or would it mess up the login for existing users?

luceos

cmwetherell

This passport extension is a generic oauth 2 client that allows users to log in with credentials from another website that has an oauth2 server. This is exceptionally useful if you own the other website and are able to add oauth 2 server capabilities there; for Laravel a package exists that offers that functionality which is named passport, hence the name of this extension.

You should be able to use this with existing users just fine.

cmwetherell

luceos Gotcha, that makes sense. So as an example, if T-Mobile wants to use Flarum as a discussion community, they can have people logged into their website automatically logged into the forum when they go to discuss.tmobile.com (assuming they use oauth 2).

« Previous Page Next Page »